Sendient Privacy Notice (US) 

Effective: 4 November 2025 

  1. Scope

This Privacy Notice explains how Sendient.ai (“Sendient”, “we”, “our”) collects, uses, and protects personal information in the United States. It applies to our products and services, including SmartEducator, SmartDetector, SmartAssessor, and internal HR/employee systems. 

This notice is designed to meet requirements under: 

  • Federal education and child protection laws (FERPA, COPPA, SOPPA, PPRA, CIPA). 
  • State consumer privacy laws (including CCPA/CPRA – California, VCDPA – Virginia, CPA – Colorado, CTDPA – Connecticut, UTDPA – Utah). 
  1. About Us

Sendient provides AI-driven assessment and compliance products. We are headquartered in the UK, with US operations. 

Controller vs Processor roles: 

  • Controller: Employee data 
  • Processor: SmartEducator (on behalf of schools/educators), SmartDetector (user-submitted text), Sendient HR/employee data, SmartAssessor (on behalf of corporate clients). 
  1. What Data We Collect

Depending on the service, we may collect or process: 

  • Students/education users (via schools): names, identifiers, submissions, grades, feedback, metadata. 
  • SmartDetector users: uploaded text (which may include incidental identifiers). 
  • Corporate users (SmartAssessor): employee/engineer form inputs, compliance data, audit logs. 
  • Employees (HR): contact, payroll, welfare, performance. 
  • Marketing and support: contact details, preferences, IP address, usage data. 
  • Recruitment: CVs, education/employment history, right-to-work info. 
  1. How We Use Data

We use personal information for: 

  • Providing marking and feedback (SmartEducator). 
  • Identifying AI-generated content (SmartDetector). 
  • Compliance checks and certification (SmartAssessor). 
  • HR/payroll and employee welfare (internal). 
  • Research, innovation, and service improvement. 
  • Marketing (with opt-out). 
  1. Legal Bases and Authority
  • Schools/education: FERPA and SOPPA govern school-provided student data. Sendient acts as a Processor, under contract with the school (Controller). 
  • Children under 13: COPPA requires parental consent for data collection; we process only via schools acting “in loco parentis”. 
  • Consumer privacy: For direct users (e.g. SmartDetector), we rely on contractual necessity and legitimate business interests, consistent with state privacy laws. 
  • Employment: For employees, we process under employment contracts and applicable employment law. 

We do not “sell” personal information. We do not share data for targeted advertising. 

  1. Sharing Data

We may share with: 

  • Service providers (e.g. Microsoft Azure US for hosting, Google, Stripe for payments, Kinde for authentication). 
  • Schools/employers (if you are using their services). 
  • Regulators, auditors, or law enforcement, if legally required. 

All providers are bound by contracts and data protection agreements. 

  1. Children’s Privacy
  • COPPA: For children under 13, any data is collected only through schools with parental consent mechanisms. We do not knowingly allow children under 13 to create accounts directly. 
  • FERPA: Schools remain responsible for educational records. Sendient acts as a Processor. 
  • SOPPA (Illinois): Contracts with districts cover security, data breach notification, and deletion requests. 
  1. Your Rights

Depending on your state, you may have the following rights: 

  • Access: to request a copy of the data we hold. 
  • Correction: to update inaccurate data. 
  • Deletion: to request deletion of data. 
  • Data portability: to request transfer of your data. 
  • Opt-out: of the sale or sharing of personal data (we do not sell, but provide this right where required). 
  • Limit use of sensitive data (California). 
  • Appeal rights (Virginia, Colorado). 

Requests can be made via datacontroller@sendient.ai. We will verify your identity before responding. Parents can exercise these rights on behalf of their children. 

  1. Data Retention
  • Student/assessment data: retained for contract duration + up to 2 years, unless earlier deletion requested. 
  • HR/payroll: retained as required by employment/tax law (generally 6 years). 
  • Recruitment: up to 12 months post-process. 
  • Marketing: until you opt out. 

 

  1. How Third-Party Services Access and Use Data

We only use third-party processors necessary to deliver SmartEducator services. 

We do not sell student or teacher data. 

We require all processors to meet or exceed UK GDPR, FERPA, COPPA, and regional education privacy standards. 

Microsoft Azure (Hosting & Processing) 

Category  Details 
Data Accessed  • Student work, assessment content, teacher inputs, and account identifiers stored/processed on Azure
• Metadata needed for application delivery, analytics, and security logging 
Data Usage  • Used solely to run SmartEducator ,SmartAssessor and SmartDetector services and provide AI-assisted marking and feedback
• AI models hosted in the UK/EU/US are used only when student data is processed in the user's chosen region 
Data Sharing  • No sharing of customer content outside Sendient systems
• No data used by Microsoft for model training or product improvement 
Data Storage & Protection  • All data encrypted in transit and at rest
• Hosted in Microsoft Azure under enterprise-grade security
• UK/EU users’ data hosted within UK/EU region unless explicitly chosen otherwise 
Data Retention & Deletion  • Retained only for duration of school contract or as otherwise instructed
• Full secure deletion within 90 days of contract termination
• Deletion requests honoured via school administrator 

 

Microsoft Azure AI Models (UK, Sweden, US) 

Category  Details 
Data Accessed  • Assignment content, Student Submissions and metadata used for AI-assisted grading workflows
• Only data necessary for model operation is transmitted 
Data Usage  • Used solely to carry out marking, feedback, mark scheme/rubric alignment, and analytics
• No data used to train Microsoft's general AI models 
Data Sharing  • No sharing with Microsoft or external parties beyond model inference
• Processing only — no retention outside Sendient systems 
Data Storage & Protection  • Processing within Azure secure environments
• Models operate with encryption and strict access controls 
Data Retention & Deletion  • Data only passed temporarily to AI models for inference
• No persistence beyond processing event 

 

Google Drive (via Edlink Integration) 

Category  Details 
Data Accessed  • Read-only access to assignment files and submissions stored in Google Drive 

• Only for authorised teachers and classes synced via Edlink 

• Access limited to specific files linked to assignments 
Data Usage  • Files retrieved only when a teacher chooses to use AI-assisted grading 

• Used solely to support marking workflows and return feedback to the school 
Data Sharing  • Shared only within the contracted school organisation 

• No third-party sharing beyond Google/Edlink processing 
Data Storage & Protection  • Files stored in encrypted Azure storage 

• Only stored if teacher explicitly requests AI grading 

• Role-based access ensures access only for authorised school users 
Retention & Deletion  • Retained only during contract or teacher opt-in 

• Deleted within 90 days after contract termination or school request 

• Teachers may request deletion anytime 

 

Edlink (Integration partner for Google Classroom & Microsoft Teams) 

Category  Details 
Data Accessed  • Student rosters, class metadata, assignment IDs, and submission links 

Apart from Google Classroom (where Google Drive is used), Student submissions and Assignments plus other assignment materials are also accessed
• Only accessed when a school authorises integration 
Data Usage  • Used solely to sync students, classes, assignments and student submissions for SmartEducator workflows
• No use for advertising, profiling, or analytics beyond school-approved functions 
Data Sharing  • Data shared only between the school, Edlink, and SmartEducator
• No sharing with external third parties 
Data Storage & Protection  • Edlink securely stores integration metadata and access tokens
• Transport encrypted; GDPR/FERPA compliant 
Data Retention & Deletion  • Data retained only while integration is active
• Removal occurs when school disables integration or contract ends 

 

Microsoft Teams for Education 

Category  Details 
Data Accessed  • Class roster data, assignments, submissions, and associated metadata
• Access only with school authorization via Edlink or direct integration 
Data Usage  • Accessed to retrieve and process student submissions for marking
• Only teachers and authorised school staff can initiate transfers 
Data Sharing  • No external sharing beyond school workflow
• Access strictly limited to authorised school users 
Data Storage & Protection  • Files stored only if teacher opts into AI marking
• Stored securely in Azure with encryption and RBAC 
Data Retention & Deletion  • Same as Google Drive: retained for contract term
• Deleted within 90 days of termination or earlier on request 

 

Kinde (Authentication Provider) 

Category  Details 
Data Accessed  • User login details, school/teacher identity attributes, authentication tokens
• No student work or assignment content 
Data Usage  • Used solely to authenticate and authorize users
• No profiling or marketing usage 
Data Sharing  • No data shared outside Sendient and Kinde authentication flow
• Tokens encrypted and access-scoped 
Data Storage & Protection  • Encrypted credentials and tokens stored securely
• Zero-trust and MFA security model enforced 
Data Retention & Deletion  • Authentication data retained only while account is active
• Deleted upon account termination or school request 

 

  1. 11. Security

We use encryption, access controls, secure hosting (Azure US/region-locked), audit logging, and monitoring to protect personal data. 

  1. 12. International Transfers

If US data is accessed or transferred to the UK/EU, we use standard contractual clauses or equivalent safeguards to ensure protection. 

  1. 13. Changes to This Policy

We may update this notice to reflect changes in law or practice. Updated versions will be published on our website. 

  1. 14. Contact Us
  • Email: datacontroller@sendient.ai 
  • Post: Sendient, Stoneythorpe Hall, Southam, Warwickshire, CV47 2DL, UK 
  • US users may also raise concerns with their state Attorney General or Department of Education, depending on applicable law. 

 

 

Appendix: Your State Privacy Rights 

If you live in one of the following states, you may have additional privacy rights under state law. These rights apply alongside the rights already explained in our main Privacy Notice. 

California (CCPA/CPRA) 

  • Right to know what personal information we collect, use, and disclose. 
  • Right to access and request a copy of your personal information. 
  • Right to correct inaccurate personal information. 
  • Right to request deletion of personal information, subject to exceptions. 
  • Right to opt out of the sale or sharing of personal information (we do not sell your data). 
  • Right to limit use of sensitive personal information. 
  • Right not to be discriminated against for exercising your rights. 

Virginia (VCDPA) 

  • Rights to access, correction, deletion, and portability. 
  • Right to opt out of targeted advertising, sale of data, or profiling in certain contexts. 
  • Right to appeal if a request is denied. 

Colorado (CPA) 

  • Rights to access, correction, deletion, portability, and opt-out (targeted ads, sale, profiling). 
  • Right to appeal decisions. 
  • We conduct data protection assessments as required for high-risk uses. 

Connecticut (CTDPA) 

  • Rights to access, correction, deletion, portability, and opt-out. 
  • Consent required for processing sensitive personal data. 

Utah (UTDPA) 

  • Rights to access, copy, delete (user-provided data), portability, and opt-out (sale, targeted ads). 
  • Does not provide correction or appeal rights. 

New York (Education Law §2-d) 

For K-12 student data: 

  • Right to transparency about how data is collected, used, and shared. 
  • Right to data security safeguards aligned with state standards. 
  • Right to be notified of breaches. 
  • Parents may inspect and request correction of their child’s education records. 
  • Vendors (including Sendient) must sign state-compliant contracts with districts. 

Illinois (SOPPA – 105 ILCS 85) 

For K-12 student data: 

  • Right to transparency about what data is collected and shared. 
  • Parents may request to review and correct their child’s information. 
  • Schools and vendors must maintain reasonable security practices. 
  • Vendors must publicly post data agreements with districts. 
  • Breach notification is required within 30 days. 

Florida (Student Online Personal Information Protection Act – F.S. §1006.1494) 

For K-12 student data: 

  • Restrictions on targeted advertising, profiling, or selling student data. 
  • Operators must use security measures to protect student information. 
  • Parents may request deletion of student personal data when no longer needed. 

Texas (Education Code §32.151 et seq.) 

For K-12 student data: 

  • Operators may not sell or misuse student information. 
  • Restrictions on targeted advertising and profiling. 
  • Parents and schools can request deletion of student data when contracts end. 
  • Operators must implement security safeguards and comply with district contracts. 

How to Exercise Your Rights 

  • Contact us at datacontroller@sendient.ai. 
  • We will verify your identity before fulfilling your request. 
  • Parents may exercise these rights on behalf of their children. 
  • If we deny your request, you may have the right to appeal (depending on your state law). 

 

State  Scope  Key Rights for Individuals (Students/Consumers/Parents)  Vendor / Operator Obligations  Notes 
California (CCPA/CPRA)  Consumers (incl. minors)  Access, copy, correction, deletion, portability, opt-out of sale/sharing, limit sensitive data use, no discrimination  Privacy notice, respond to rights requests, honor opt-out, protect sensitive data  Applies broadly, including edtech when dealing direct-to-consumer 
Virginia (VCDPA)  Consumers  Access, correction, deletion, portability, opt-out (ads/sale/profiling), appeal rights  Data protection assessments for high-risk uses  Similar to Colorado/Connecticut 
Colorado (CPA)  Consumers  Access, correction, deletion, portability, opt-out (ads/sale/profiling), appeal rights  Conduct DPIAs, security safeguards   
Connecticut (CTDPA)  Consumers  Access, correction, deletion, portability, opt-out; consent for sensitive data  Data minimisation, security safeguards  Very similar to VA/CO 
Utah (UTDPA)  Consumers  Access, copy, delete (user-provided data), portability, opt-out (sale/ads)  Basic security safeguards  Narrower than others (no correction/appeal) 
New York (Ed Law 2-d)  K-12 student data  Parents: access, correction, transparency, breach notification  Vendors must sign compliant contracts, ensure security  Applies only to education records 
Illinois (SOPPA)  K-12 student data  Parents: access, correction; transparency; breach notice (30 days)  Vendors must post contracts, safeguard data  Schools/districts drive compliance 
Florida (F.S. 1006.1494)  K-12 student data  Parents: deletion requests; protections from profiling/ads  Operators: no targeted ads, no selling, safeguard data  Student-focused protections 
Texas (Ed Code 32.151 et seq.)  K-12 student data  Parents/schools: deletion requests  Operators: no sale, no profiling, safeguard data  Vendor contracts required 

 

Scroll to Top